Ask HN: How to disclose a phishing vulnerability

5 points by youngian ↗ HN
I am hacking together a proof-of-concept of a phishing attack on the sites of some financial institutions (mostly to make a rhetorical point). Frankly, it's not rocket science. I imagine if the phishers wanted to, they could have developed this technique by now. But I haven't found any record of this particular type of attack being disclosed to the public.

So: am I obliged to treat this like a security vulnerability? Warn said institutions of the problem, give them a grace period to make changes, all that? Or should I just announce it publicly? Morally, what's the right thing to do? Legally, am I on any shaky ground one way or the other?

Oh, I should also mention that I have no expectation of this information actually convincing said institutions to change their ways. It's not like an open port on their server or something, and I am guessing they've sunk plenty of money into their system and aren't going to revamp it because of one windbag on the internet. Honestly, I'm concerned that if they give any response at all, it will be to threaten me with legal action or something if I don't keep it quiet.

7 comments

[ 3.9 ms ] story [ 30.2 ms ] thread
You might be right that the institutions won't take a phishing exploit seriously - after all, phishing is easy enough to pull off against most sites without exploiting any specific vulnerabilities (just send an email saying "Please respond with your SSN and password"). But what I would do is to send details to the vulnerable sites, and tell them you'll publish them in 30 days. If they respond and ask for more time for a fix, you can give it to them. Probably they won't respond, and then you can just go public knowing that you've done your best.
I'll second the question, but for a different reason. I once noticed a vulnerability on Facebook, and as a responsible citizen, took screenshots of what was happening and wrote a friendly email explaining how it could be used to compromise another user. I explained that I had just stumbled across the problem and wanted to be sure they knew it was there, and how to fix it.

Their response was to lock my account for a day for "suspicious activity". Once they unlocked it, they changed my password and informed me that I must have carelessly given my credentials to an attacker (which had nothing to do with the problem I reported). Their email was extremely rude and threatening. As a result, I would never dare inform the financial institutions of their problems unless I worked for their security team, for fear of being prosecuted. So as a follow-up question: what has been the response you've received in the past from such action? And indeed, how do you avoid coming across as a malicious hacker?

That's a good point that I didn't think of in my earlier reply. If you disclose - either privately or publicly - be prepared for the chance of a litigious response. If you can publish a generic example that isn't tied to any particular site or institution, it might help avoid this.
Is the generic-ness meaningful on legal grounds, or just giving you better odds that no one will take it personally, panic, and call in the lawyers? I'm assuming the latter, since I imagine most litigation that arises in situations like this is more about trying to sweep it under the rug than an actual legal case.
Yeah, I was thinking the latter.
How is a phishing vulnerability based off a singular site? Phishing are just tricks How is a phishing vulnerability based off a singular site? Phishing are just tricks to get the user to give you their credentials in belief you are the site in some way (staff, admin, etc.). It's basically social engineering, how exactly is yours specific to this site? There's nothing you can really do to prevent a phishing attack against your site via defensive programming.to get the user to give you their credentials in belief you are the site in some way (staff, admin, etc.). It's basically social engineering, how exactly is yours specific to this site? There's nothing you can really do to prevent a phishing attack against your site via defensive programming.
This is an attack that circumvents a specific anti-phishing mechanism these sites use. So while obviously other types of phishing attacks are possible against these sites, this one is more dangerous and is targeted at certain sites in particular.